A computer-implemented method includes receiving an input containing a candidate netlist, a target, and a number, K, of cycles of interest, where K represents a number of cycles required to be analyzed for the proof-based abstraction. In response to receiving the inputs, a computing device builds an inductively unrolled netlist, utilizing random, symbolic initial values, for K cycles and provides the unrolled netlist with a first initial value constraint to a satisfiability (SAT) solver, with the first initial value constraint empty. The method includes determining whether a result of the SAT solver is satisfiable, and in response to the result not being satisfiable, performing an abstraction on the netlist and outputting the abstraction. However, in response to the result being satisfiable, the method includes performing one of: (a) outputting a valid counterexample of the original netlist; and (b) lazily adding initial value constraints to avoid spurious counterexamples.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A computer-implemented method for performing proof-based abstraction via a computing device, the method comprising: receiving an input containing a candidate netlist (N1), a target (T1), and a number, K, of cycles of interest, wherein K is an integer number that represents a number of cycles that are required to be analyzed for the proof-based abstraction; in response to receiving the inputs, building, by a processor of the computing device, an inductively unrolled netlist, utilizing random, symbolic initial values, for K cycles; providing the unrolled netlist with a first initial value constraint to a satisfiability (SAT) solver where the first initial value constraint is empty; receiving a result of the SAT solver; determining whether the result of the SAT solver is satisfiable; in response to the result of the SAT solver not being satisfiable, performing an abstraction on the netlist and outputting the abstraction; and in response to the result of the SAT solver being satisfiable, performing one of: (a) outputting a valid counterexample of the original netlist; and (b) lazily adding initial value constraints to avoid spurious counterexamples.
A computer system performs proof-based abstraction. It receives a digital circuit design (netlist), a property to check (target), and a number of cycles (K) to analyze. The system builds an unrolled copy of the circuit spanning K cycles, using random, symbolic values for the initial state rather than the design's actual initial values. It then asks a SAT solver whether the target can be asserted within those K cycles, starting with no constraint on the initial values. If the solver reports the problem unsatisfiable (the target is not asserted in any of the K cycles), the system simplifies (abstracts) the circuit and outputs the abstraction. If the solver reports it satisfiable, the system either outputs a counterexample that is valid on the original circuit, or adds constraints on the initial values to rule out spurious counterexamples that exist only because the initial values were left free.
2. The computer-implemented method of claim 1, wherein outputting a valid counterexample comprises: analyzing a resulting counterexample (CEX) and determining whether the resulting CEX generated is a valid CEX of the original netlist (N1); in response to determining that the resulting CEX is valid, outputting the CEX; and in response to the CEX not being a valid CEX of the original netlist, analyzing the resulting CEX and determining a minimal initial value constraint that needs to be added to the unrolled netlist to avoid the resulting CEX.
If the SAT solver returns a counterexample (CEX), the system checks whether that CEX is valid on the original circuit design. If it is valid, it is output. If it is not, the system analyzes the CEX to determine the smallest set of initial value constraints that must be added to the unrolled netlist so that this spurious CEX cannot recur in later SAT runs.
3. The computer-implemented method of claim 2, further comprising: generating updated initial value constraints by adding minimal initial value constraints to a previous initial value constraint; re-running the SAT solver with the updated initial value constraints; and incrementally re-running the SAT solver with a next updated initial value constraints until a resulting CEX is valid on the original netlist, wherein incrementally re-running the SAT solver enables the SAT solver to maintain one or more previously learned clauses and enables faster SAT solver run times.
The method described previously refines initial value constraints iteratively. It generates updated initial value constraints by adding the minimal initial value constraints (identified from analyzing the invalid counterexample per the method described in Claim 2) to the previous constraints. It then reruns the SAT solver with these updated constraints. This process is repeated until the SAT solver finds a valid counterexample for the original design. Importantly, the SAT solver reuses previously learned information (clauses) during each iteration, speeding up subsequent runs.
4. The computer-implemented method of claim 2, wherein analyzing the resulting CEX comprises: forwarding a set of input parameters to a subroutine to perform the analyzing of the CEX; and receiving from the subroutine a result indicating which initial value constraints are required to be added to avoid the resulting CEX from being a spurious CEX, wherein the resulting CEX is a spurious CEX that is not valid on the original netlist when not enough initial value information was given to the SAT solver.
The analysis of a resulting (potentially invalid) counterexample is performed by sending relevant information to a subroutine. The subroutine determines which initial value constraints are needed to prevent the SAT solver from producing spurious counterexamples. A spurious counterexample arises when the SAT solver doesn't have enough information about the circuit's initial state and therefore reports an issue that doesn't actually exist in the original design.
5. The computer-implemented method of claim 2, wherein: the unrolled netlist is built without inlining register initial values, and building the unrolled netlist comprises inserting RANDOM gates to represent an unconstrained initial state; and analyzing the resulting CEX and determining whether the resulting CEX is valid on the original netlist comprises: imposing true initial values of the original netlist during a run of the SAT solver; and determining if the target is still asserted, while adhering to the RANDOM gate valuations in the CEX.
The unrolled netlist is built without specifying register initial values directly. Instead, "RANDOM" gates are used to represent unknown initial states. When checking if a counterexample is valid (as per Claim 2), the true initial values of the original netlist are imposed. During the SAT solver run, it's determined if the target property is still violated while respecting the "RANDOM" gate values from the counterexample.
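The following Python program is an added illustration of the loop of claim 1 together with the counterexample handling of claims 2 to 5; it is not code from the patent and does not use any tooling of the patent holder. It stands in for the SAT solver and the K-cycle unrolled netlist with exhaustive enumeration over a constructed four-gate counter netlist (tiny enough that enumeration is instantaneous), models the RANDOM gates of claim 5 as initial values left free, validates a counterexample by imposing the true initial values while replaying the counterexample's input valuations, and, because the constructed initial state is concrete, computes the minimal constraint as the set of registers whose cycle-0 value disagrees with it instead of from an unsat core. Everything in it (GATES, REGS, TRUE_INIT, proof_based_abstraction and the counter design) is this example's own assumption, and its "abstraction" output is a simplification: it reports which registers' initial values were never needed for the proof.

```python
from itertools import product

# Constructed toy netlist (this example's own, not from the patent): a 2-bit
# counter q1q0 with an enable input, plus a register q2 the target never uses.
# Combinational gates in topological order: name -> (kind, operand names).
GATES = {
    "n0": ("XOR", "q0", "en"),   # next value of q0
    "c0": ("AND", "q0", "en"),   # carry into q1
    "n1": ("XOR", "q1", "c0"),   # next value of q1
    "n2": ("NOT", "q2"),         # q2 just toggles
    "tgt": ("AND", "q0", "q1"),  # target: the counter reads 3
}
REGS = {"q0": "n0", "q1": "n1", "q2": "n2"}   # register -> its next-state gate
INPUTS = ["en"]
TRUE_INIT = {"q0": 0, "q1": 0, "q2": 0}      # initial values of the original netlist


def evaluate(state, inputs):
    """Two-valued evaluation of every gate for one cycle."""
    val = dict(state)
    val.update(inputs)
    for name, (kind, *ops) in GATES.items():
        a = val[ops[0]]
        if kind == "NOT":
            val[name] = 1 - a
        elif kind == "AND":
            val[name] = a & val[ops[1]]
        else:  # XOR
            val[name] = a ^ val[ops[1]]
    return val


def next_state(val):
    return {r: val[g] for r, g in REGS.items()}


def unrolled_sat(k, init_constraint):
    """Stand-in for 'K-cycle unrolled netlist + SAT solver'.  Registers not in
    init_constraint keep a RANDOM (free) initial value; every such value and
    every input of cycles 0..k is enumerated.  Returns the first assignment
    that asserts the target, or None when the problem is unsatisfiable."""
    free_regs = [r for r in REGS if r not in init_constraint]
    n_in = len(INPUTS)
    for init_bits in product((0, 1), repeat=len(free_regs)):
        init = dict(init_constraint, **dict(zip(free_regs, init_bits)))
        for in_bits in product((0, 1), repeat=n_in * (k + 1)):
            state, trace = dict(init), []
            for t in range(k + 1):
                inputs = {name: in_bits[t * n_in + j] for j, name in enumerate(INPUTS)}
                trace.append(inputs)
                val = evaluate(state, inputs)
                if val["tgt"] == 1:
                    return {"init": init, "inputs": trace, "cycle": t}
                state = next_state(val)
    return None


def cex_is_valid(cex):
    """Claim 5's check: impose the true initial values, keep the CEX's input
    (RANDOM gate) valuations, and see whether the target is still asserted."""
    state = dict(TRUE_INIT)
    for inputs in cex["inputs"]:
        val = evaluate(state, inputs)
        if val["tgt"] == 1:
            return True
        state = next_state(val)
    return False


def minimal_constraint(cex):
    """Simplification of claims 2 and 8: with a concrete true initial state, the
    registers whose cycle-0 value in the CEX disagrees with it form the
    inconsistent set R1, and pinning them to their true values blocks the CEX."""
    return {r: TRUE_INIT[r] for r in REGS if cex["init"][r] != TRUE_INIT[r]}


def proof_based_abstraction(k):
    """Claim 1's loop: start from an empty initial value constraint, lazily add
    constraints after each spurious CEX, and stop on unsat (abstraction) or on
    a CEX that is valid on the original netlist."""
    constraint, sat_calls = {}, 0
    while True:
        sat_calls += 1
        cex = unrolled_sat(k, constraint)
        if cex is None:
            # Registers whose initial value never had to be constrained stayed
            # RANDOM throughout the proof; the abstraction reports them as cut points.
            return {"result": "abstraction",
                    "constrained": sorted(constraint),
                    "abstracted": sorted(set(REGS) - set(constraint)),
                    "sat_calls": sat_calls}
        if cex_is_valid(cex):
            return {"result": "counterexample", "cex": cex, "sat_calls": sat_calls}
        new = minimal_constraint(cex)
        assert new, "a spurious CEX must disagree with the true initial state"
        constraint.update(new)   # claim 3: updated = previous + minimal new constraints


if __name__ == "__main__":
    print(proof_based_abstraction(2))   # unsat after lazily pinning q0 and q1
    print(proof_based_abstraction(3))   # a counterexample valid on the original netlist
```

With K=2 the free initial values first yield a spurious counterexample starting with q1=1, then one starting with q0=1; after both registers are pinned to their true values the problem is unsatisfiable and q2, whose initial value was never needed, is the only register left free. With K=3 the first counterexample found already starts from the true initial state and is reported as valid. A real implementation keeps the solver instance alive across these calls so that learned clauses survive, as claim 3 describes; the enumeration here restarts from scratch each time.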
6. The computer-implemented method of claim 2, wherein lazily adding initial value constraints to avoid spurious counterexamples comprises: minimizing a number of necessary register initial value assignments in a counterexample by performing a ternary simulation iteratively utilizing an unassigned value of X for each register whose initial value is one of a “0” and a “1”; determining if propagating an assigned X value for a particular register through the unrolled netlist drives the target to a 1 value; in response to the propagation of the X value still driving the target to a 1 value, tagging an initial value assignment of that particular register as irrelevant to the counterexample; in response to the propagation of the X value not driving the target to the 1 value, restoring the particular register to its initial value.
Adding initial value constraints to prevent incorrect counterexamples is done "lazily" by minimizing the number of register initial values that need to be specified. This is achieved by iteratively performing ternary simulation (using 0, 1, and X, where X is unassigned) on the unrolled netlist. For each register, its initial value is temporarily set to X. If propagating this X value through the circuit still violates the target property, then the register's initial value is considered irrelevant to the counterexample, and its initial value assignment is tagged as irrelevant. Otherwise, if the propagation of X no longer drives the target to its failure state, the register's initial value is restored.
7. The computer-implemented method of claim 6, further comprising: initializing a set R1 to be equal to a set of all registers that have a non-X cycle 0 value in the resulting CEX; determining whether R1 is empty; in response to R1 being empty, returning the resulting CEX as a valid counterexample; in response to R1 not being empty, selecting a first register (r) in R1 and assigning a cycle 0 value of the register r in the resulting counterexample to X; removing the selected register from R1; performing a sequential ternary simulation of the registers of the resulting CEX on the netlist and determining whether one or more of the ternary simulation results in an assertion of the target; in response to the ternary simulation of a first register asserting the target, undoing a change made to the first register of the resulting CEX; and iterating the ternary simulation for a next register in R1.
Building upon the previous claim about lazy constraint addition, a set R1 is initialized to contain all registers with a non-X (i.e., 0 or 1) initial value in the counterexample. If R1 is empty, the counterexample is considered valid. Otherwise, a register *r* from R1 is selected, and its initial value in the counterexample is set to X. *r* is then removed from R1. A ternary simulation is performed on the circuit with this modified counterexample. If the target is still violated, the change to *r*'s value is undone. This process is repeated for each remaining register in R1.
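The ternary minimisation of claims 6 and 7, written out in Python as an added example that is not part of the patent: a three-valued simulator over a constructed five-register netlist, and the loop that tries X for each register's cycle-0 value in turn. It applies the rule as claim 6 states it: the X is kept when the target is still driven to 1 (the value was irrelevant) and the original value is restored otherwise. The netlist, the register names and the starting counterexample CEX_INIT are this example's own constructions.

```python
X = "X"   # the unassigned ternary value

# Constructed toy netlist (this example's own, not from the patent).  The target
# is register p, which is set one cycle after a AND (b OR c) holds; registers
# a, b and c hold their value, and d is a toggle the target never sees.
GATES = {
    "bc": ("OR", "b", "c"),
    "np": ("AND", "a", "bc"),   # next value of p
    "nd": ("NOT", "d"),         # next value of d
    "tgt": ("BUF", "p"),
}
REGS = {"a": "a", "b": "b", "c": "c", "p": "np", "d": "nd"}  # register -> next-state signal


def t_not(a):
    return X if a == X else 1 - a


def t_and(a, b):
    if a == 0 or b == 0:
        return 0
    return 1 if a == 1 and b == 1 else X


def t_or(a, b):
    if a == 1 or b == 1:
        return 1
    return 0 if a == 0 and b == 0 else X


def ternary_evaluate(state):
    """Three-valued evaluation of every gate for one cycle; X propagates
    unless a controlling value (0 for AND, 1 for OR) decides the output."""
    val = dict(state)
    for name, (kind, *ops) in GATES.items():
        a = val[ops[0]]
        if kind == "BUF":
            val[name] = a
        elif kind == "NOT":
            val[name] = t_not(a)
        elif kind == "AND":
            val[name] = t_and(a, val[ops[1]])
        else:  # OR
            val[name] = t_or(a, val[ops[1]])
    return val


def target_asserted(init, cycles):
    """Sequential ternary simulation from a (possibly partly X) cycle-0 state:
    True if the target is driven to a definite 1 at some cycle 0..cycles."""
    state = dict(init)
    for _ in range(cycles + 1):
        val = ternary_evaluate(state)
        if val["tgt"] == 1:
            return True
        state = {r: val[g] for r, g in REGS.items()}
    return False


def minimize_initial_values(cex_init, cycles):
    """Claims 6 and 7: R1 starts as every register with a non-X cycle-0 value.
    Each one is tried at X; if the target is still asserted the value was
    irrelevant and the X stays, otherwise the original value is restored.
    Returns the minimized cycle-0 state and the registers tagged irrelevant."""
    assert target_asserted(cex_init, cycles), "cex_init must actually hit the target"
    init = dict(cex_init)
    r1 = [r for r in REGS if init[r] != X]
    irrelevant = []
    while r1:
        r = r1.pop(0)
        saved, init[r] = init[r], X
        if target_asserted(init, cycles):
            irrelevant.append(r)
        else:
            init[r] = saved
    return init, irrelevant


# Constructed counterexample: every register given a value, target hit at cycle 1.
CEX_INIT = {"a": 1, "b": 1, "c": 1, "p": 0, "d": 1}

if __name__ == "__main__":
    print(minimize_initial_values(CEX_INIT, 1))
```

On CEX_INIT the loop keeps a=1 and c=1 and drops b, p and d: once b is X, the OR is still controlled by c=1, so the target still fires; trying c afterwards leaves the OR at X, so c is restored. The result depends on the order in which R1 is visited, which is why a minimal (irreducible) assignment is not necessarily the smallest one.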
8. The computer-implemented method of claim 7, further comprising: determining a minimal set of registers whose initial value constraints need to be added to avoid a spurious CEX; initializing a set S1 to be equal to the initial state of the resulting CEX; performing a SAT analysis and identifying registers whose valuation in S1 is inconsistent with the initial state of the netlist; analyzing an unsatisfiable core of a resulting SAT solver to identify a minimal subset of registers responsible for a conflict, wherein the minimal subset is smaller than a subset of a previously-minimized trace; and setting R1 to be equal to the set of all registers whose values are inconsistent.
Building on the previous claim, this claim details how the set of initial value constraints is minimized. A minimal set of registers whose constraints must be added to avoid a spurious counterexample is determined as follows: a set S1 is initialized with the initial state of the counterexample. A SAT analysis identifies the registers in S1 whose values are inconsistent with the netlist's initial state. The unsatisfiable core returned by the SAT solver (a subset of the constraints that is already unsatisfiable on its own) is analyzed to identify a minimal subset of registers responsible for the conflict. The set R1 (from claim 7) is then set to the registers with inconsistent values. Analyzing the unsatisfiable core yields a smaller subset than analyzing a previously-minimized trace does.
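An added Python example for claim 8, not from the patent: S1 is the cycle-0 assignment of a counterexample, the initial-state condition of the netlist is a constructed predicate over four registers, and a brute-force consistency check stands in for the SAT call. A real implementation takes the unsatisfiable core from the solver's refutation; here a deletion-based minimisation over that check plays the same role, dropping every literal of S1 whose removal keeps the conflict. The predicates, register names and S1 values are this example's own assumptions; the relational initial condition (a equals b) is chosen because it is the case where comparing registers one at a time cannot find the conflict.

```python
from itertools import product

REGS = ["a", "b", "c", "d"]


# Constructed initial-state condition (this example's own): the original netlist
# initialises a and b to the same value and c to 0; d is unconstrained.
def init_ab_equal_c_zero(state):
    return state["a"] == state["b"] and state["c"] == 0


def init_ab_equal(state):
    return state["a"] == state["b"]


def consistent(partial, init_pred):
    """Brute-force stand-in for one SAT call: does some complete initial state
    satisfying init_pred agree with the partial assignment?"""
    free = [r for r in REGS if r not in partial]
    for bits in product((0, 1), repeat=len(free)):
        state = dict(partial, **dict(zip(free, bits)))
        if init_pred(state):
            return True
    return False


def minimal_inconsistent_registers(s1, init_pred):
    """Claim 8 with a deletion-based core: start from every cycle-0 literal of
    the CEX (S1) and drop each one whose removal leaves the remaining literals
    still inconsistent with the initial state.  What survives is an
    irreducible set of registers responsible for the conflict, i.e. R1."""
    assert not consistent(s1, init_pred), "S1 agrees with the initial state; nothing to minimize"
    core = dict(s1)
    for r in list(core):
        trial = {k: v for k, v in core.items() if k != r}
        if not consistent(trial, init_pred):
            core = trial
    return core


# Constructed S1: the cycle-0 values a spurious counterexample assigned.
S1 = {"a": 1, "b": 0, "c": 1, "d": 1}

if __name__ == "__main__":
    # With c pinned to 0 in the initial state, c=1 alone explains the conflict.
    print(minimal_inconsistent_registers(S1, init_ab_equal_c_zero))
    # With only a==b required, neither a nor b is inconsistent by itself; the core is the pair.
    print(minimal_inconsistent_registers(S1, init_ab_equal))
```

Under the first condition the single literal c=1 is enough to contradict the initial state, so R1 is {c} and the constraint added next is just c's initial value; under the second, the conflict is only visible in the pair a=1, b=0, which a per-register comparison would never report. Deletion order decides which irreducible core is returned when several exist.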
9. The computer-implemented method of claim 1, further comprising: building new initial value constraints utilizing R1 as an input set of registers; generating combined initial value constraints by combining the new initial value constraints with a previous set of initial value constraints; and generating one of an abstraction and a new CEX as a result from the SAT solver utilizing the combined initial value constraints.
New initial value constraints are created based on the registers in set R1 (as defined in claim 8). These new constraints are combined with any existing initial value constraints. The SAT solver is then rerun, using these combined constraints, to generate either an abstraction of the circuit or a new counterexample.
10. A computing device for performing proof-based abstraction, the computing device comprising a processor, an input device, an output device, and a memory with program code that is executed by the processor to cause the computing device to: receive an input containing a candidate netlist (N1), a target (T1), and a number, K, of cycles of interest, wherein K is an integer number that represents a number of cycles that are required to be analyzed for the proof-based abstraction; in response to receiving the inputs, build an inductively unrolled netlist, utilizing random, symbolic initial values, for K cycles; provide the unrolled netlist with a first initial value constraint to a satisfiability (SAT) solver where the first initial value constraint is empty; receive a result of the SAT solver; determine whether the result of the SAT solver is satisfiable; in response to the result of the SAT solver not being satisfiable, perform an abstraction on the netlist and outputting the abstraction; and in response to the result of the SAT solver being satisfiable, perform one of: (a) outputting a valid counterexample of the original netlist; and (b) lazily adding initial value constraints to avoid spurious counterexamples.
This invention relates to a computing device for performing proof-based abstraction in digital circuit verification. The device addresses the challenge of efficiently verifying digital circuits by analyzing their behavior over a specified number of cycles (K) with formal verification techniques. The system receives an input containing a candidate netlist (N1), a target property (T1), and the number of cycles (K) to analyze. The netlist represents the digital circuit's structure, while the target defines the property to be checked. The device then builds an inductively unrolled netlist for K cycles, using random, symbolic initial values to represent the circuit's initial state. This unrolled netlist is provided to a satisfiability (SAT) solver with an initially empty initial value constraint. The SAT solver checks whether the target can be asserted in the unrolled netlist. If the result is unsatisfiable, the device performs an abstraction of the netlist and outputs the abstraction. If the result is satisfiable, the device either outputs a valid counterexample (a real violation of the target property) or lazily adds initial value constraints to avoid spurious counterexamples (violations that exist only because the initial values were left unconstrained). This approach improves the efficiency and accuracy of formal verification by adding constraints only as they are shown to be needed, reducing unnecessary computation.
11. The computing device of claim 10, wherein the program code that causes the computing device to output a valid counterexample further causes the computing device to: analyze a resulting counterexample (CEX) and determine whether the resulting CEX generated is a valid CEX of the original netlist (N1); in response to determining that the resulting CEX is valid, output the CEX; and in response to the CEX not being a valid CEX of the original netlist: analyze the resulting CEX and determining a minimal initial value constraint that needs to be added to the unrolled netlist to avoid the resulting CEX; generating updated initial value constraints by adding minimal initial value constraints to a previous initial value constraint; re-running the SAT solver with the updated initial value constraints; and incrementally re-running the SAT solver with a next updated initial value constraints until a resulting CEX is valid on the original netlist, wherein incrementally re-running the SAT solver enables the SAT solver to maintain one or more previously learned clauses and enables faster SAT solver run times.
For the computing device of the previous claim, when outputting a valid counterexample the program code also causes the device to analyze the resulting counterexample (CEX) to see whether it is valid for the original netlist. If it is, the CEX is output. If it is not, the device determines a minimal initial value constraint to add to the unrolled netlist to avoid this CEX. Updated initial value constraints are generated by adding these minimal constraints to the previous constraints. The SAT solver is rerun incrementally with the updated constraints until a CEX valid on the original netlist is found. Re-running the solver incrementally lets it keep previously learned clauses, which speeds up later runs.
12. The computing device of claim 11, wherein the program code that causes the computing device to analyze the resulting CEX comprises program code that causes the computing device to: forward a set of input parameters to a subroutine to perform the analyzing of the CEX, wherein the unrolled netlist is built without inlining register initial values, and building the unrolled netlist comprises inserting RANDOM gates to represent an unconstrained initial state; analyze the resulting CEX and determine whether the resulting CEX is valid on the original netlist by: imposing true initial values of the original netlist during a run of the SAT solver; and determining if the target is still asserted, while adhering to the RANDOM gate valuations in the CEX; and receive from the subroutine a result indicating which initial value constraints are required to be added to avoid the resulting CEX from being a spurious CEX, wherein the resulting CEX is a spurious CEX that is not valid on the original netlist when not enough initial value information was given to the SAT solver.
Building on claim 11, the analysis of the counterexample (CEX) involves forwarding input parameters to a subroutine. The unrolled netlist is built without inlining register initial values, and instead uses RANDOM gates for an unconstrained initial state. The program code that causes the device to analyze the resulting CEX comprises imposing true initial values of the original netlist during a run of the SAT solver, and determining if the target is still asserted, while adhering to the RANDOM gate valuations in the CEX. The subroutine returns the required initial value constraints to avoid a spurious CEX (one that's invalid because not enough initial information was given to the SAT solver).
13. The computing device of claim 11, wherein the program code for lazily adding initial value constraints to avoid spurious counterexamples comprises program code that causes the computing device to: minimize a number of necessary register initial value assignments in a counterexample by performing a ternary simulation iteratively utilizing an unassigned value of X for each register whose initial value is one of a “0” and a “1”; determine if propagating an assigned X value for a particular register through the unrolled netlist drives the target to a 1 value; in response to the propagation of the X value still driving the target to a 1 value, tag an initial value assignment of that particular register as irrelevant to the counterexample; and in response to the propagation of the X value not driving the target to the 1 value, restore the particular register to its initial value.
Building on claim 11, the lazy addition of initial value constraints to avoid spurious counterexamples is implemented by minimizing the number of necessary register initial value assignments. This is done through ternary simulation (using 0, 1, and X for unassigned) iteratively. If propagating an X value for a register still leads to the target being asserted, the register's initial value is marked as irrelevant. Otherwise, the register's initial value is restored.
14. The computing device of claim 11, wherein the program code further comprises program code that causes the computing device to: initialize a set R1 to be equal to a set of all registers that have a non-X cycle 0 value in the resulting CEX; determine whether R1 is empty; in response to R1 being empty, return the resulting CEX as a valid counterexample; in response to R1 not being empty, select a first register (r) in R1 and assigning a cycle 0 value of the register r in the resulting counterexample to X; remove the selected register from R1; perform a sequential ternary simulation of the registers of the resulting CEX on the netlist and determine whether one or more of the ternary simulation results in an assertion of the target; in response to the ternary simulation of a first register asserting the target, undo a change made to the first register of the resulting CEX; and iterate the ternary simulation for a next register in R1.
Building on claim 11, a set R1 is initialized with all registers having a non-X value at cycle 0 of the counterexample. If R1 is empty, the CEX is valid. Otherwise, a register *r* in R1 has its cycle 0 value set to X and is removed from R1. Sequential ternary simulation is run, and if any simulation asserts the target, the change to *r* is undone. This repeats for each register in R1.
15. The computing device of claim 14, wherein the program code further comprises code that causes the computing device to: determine a minimal set of registers whose initial value constraints need to be added to avoid a spurious CEX; initialize a set S1 to be equal to the initial state of the resulting CEX; perform a SAT analysis and identifying registers whose valuation in S1 is inconsistent with the initial state of the netlist; analyze an unsatisfiable core of a resulting SAT solver to identify a minimal subset of registers responsible for a conflict, wherein the minimal subset is smaller than a subset of a previously-minimized trace; and set R1 to be equal to the set of all registers whose values are inconsistent.
Building on claim 14, minimizing initial value constraints to avoid spurious CEX involves: initializing a set S1 with the CEX's initial state; using SAT analysis to find registers in S1 inconsistent with the netlist's initial state; analyzing the unsatisfiable core to find a minimal subset of conflicting registers (smaller than previously minimized traces); and setting R1 to be all registers with inconsistent values.
16. The computing device of claim 10, wherein the program code further comprises code that causes the computing device to: build new initial value constraints utilizing R1 as an input set of registers; generate combined initial value constraints by combining the new initial value constraints with a previous set of initial value constraints; and generate one of an abstraction and a new CEX as a result from the SAT solver utilizing the combined initial value constraints.
Building on Claim 10, the program code further builds new initial value constraints based on the registers in set R1. It then combines these new constraints with any existing ones. Finally, it runs the SAT solver again using the combined constraints, generating either an abstraction of the circuit or a new counterexample.
17. A computer program product for performing proof-based abstraction, the computer program product comprising: a computer readable device; and program code on the computer readable device, which program code is configured to be executed by a processor within a computing device to cause the computing device to: receive an input containing a candidate netlist (N1), a target (T1), and a number, K, of cycles of interest, wherein K is an integer number that represents a number of cycles that are required to be analyzed for the proof-based abstraction; in response to receiving the inputs, build an inductively unrolled netlist, utilizing random, symbolic initial values, for K cycles; provide the unrolled netlist with a first initial value constraint to a satisfiability (SAT) solver where the first initial value constraint is empty; receive a result of the SAT solver; determine whether the result of the SAT solver is satisfiable; in response to the result of the SAT solver not being satisfiable, perform an abstraction on the netlist and outputting the abstraction; and in response to the result of the SAT solver being satisfiable, perform one of: (a) outputting a valid counterexample of the original netlist; and (b) lazily adding initial value constraints to avoid spurious counterexamples.
A computer program product for proof-based abstraction comprises a computer-readable storage device and program code. The program code causes a computing device to receive a netlist, a target, and a number of cycles (K). The code builds an unrolled netlist for K cycles using random, symbolic initial values, provides it to a SAT solver with an empty initial value constraint, receives the solver's result, and determines whether the result is satisfiable. If it is not satisfiable, the code performs an abstraction and outputs it. If it is satisfiable, the code either outputs a valid counterexample or lazily adds initial value constraints to avoid spurious counterexamples.
18. The computer program product of claim 17, wherein the program code that causes the computing device to output a valid counterexample further includes code that causes the computing device to: analyze a resulting counterexample (CEX) and determine whether the resulting CEX generated is a valid CEX of the original netlist (N1); in response to determining that the resulting CEX is valid, output the CEX; and in response to the CEX not being a valid CEX of the original netlist: analyze the resulting CEX and determining a minimal initial value constraint that needs to be added to the unrolled netlist to avoid the resulting CEX; generating updated initial value constraints by adding minimal initial value constraints to a previous initial value constraint; re-running the SAT solver with the updated initial value constraints; and incrementally re-running the SAT solver with a next updated initial value constraints until a resulting CEX is valid on the original netlist, wherein incrementally re-running the SAT solver enables the SAT solver to maintain one or more previously learned clauses and enables faster SAT solver run times.
For the computer program product of the previous claim, when outputting a valid counterexample the program code also analyzes the resulting counterexample (CEX) to see whether it is valid for the original netlist. If it is, the CEX is output. If it is not, the code determines a minimal initial value constraint to add to the unrolled netlist to avoid this CEX. Updated initial value constraints are generated by adding these minimal constraints to the previous constraints. The SAT solver is rerun incrementally with the updated constraints until a CEX valid on the original netlist is found. Re-running the solver incrementally lets it keep previously learned clauses, which speeds up later runs.
19. The computer program product of claim 18, wherein the program code that causes the computing device to analyze the resulting CEX comprises program code that causes the computing device to: forward a set of input parameters to a subroutine to perform the analyzing of the CEX, wherein the unrolled netlist is built without inlining register initial values, and building the unrolled netlist comprises inserting RANDOM gates to represent an unconstrained initial state; analyze the resulting CEX and determine whether the resulting CEX is valid on the original netlist by: imposing true initial values of the original netlist during a run of the SAT solver; and determining if the target is still asserted, while adhering to the RANDOM gate valuations in the CEX; and receive from the subroutine a result indicating which initial value constraints are required to be added to avoid the resulting CEX from being a spurious CEX, wherein the resulting CEX is a spurious CEX that is not valid on the original netlist when not enough initial value information was given to the SAT solver.
Building on Claim 18, the program code analyzes the counterexample (CEX) by forwarding input parameters to a subroutine. The unrolled netlist is built without inlining register initial values, instead using RANDOM gates. The subroutine imposes true initial values of the original netlist during a run of the SAT solver, and determines if the target is still asserted, while adhering to the RANDOM gate valuations in the CEX. The subroutine then returns the required initial value constraints to avoid a spurious CEX.
20. The computer program product of claim 18, wherein the program code for lazily adding initial value constraints to avoid spurious counterexamples comprises program code that causes the computing device to: minimize a number of necessary register initial value assignments in a counterexample by performing a ternary simulation iteratively utilizing an unassigned value of X for each register whose initial value is one of a “0” and a “1”; determine if propagating an assigned X value for a particular register through the unrolled netlist drives the target to a 1 value; in response to the propagation of the X value still driving the target to a 1 value, tag an initial value assignment of that particular register as irrelevant to the counterexample; and in response to the propagation of the X value not driving the target to the 1 value, restore the particular register to its initial value.
Building on claim 18, the lazy addition of initial value constraints to avoid spurious counterexamples is implemented by minimizing the number of necessary register initial value assignments. This is done through ternary simulation (using 0, 1, and X for unassigned) iteratively. If propagating an X value for a register still leads to the target being asserted, the register's initial value is marked as irrelevant. Otherwise, the register's initial value is restored.
21. The computer program product of claim 18, wherein the program code that causes the computing device to analyze the resulting CEX comprises program code that causes the computing device to: initialize a set R1 to be equal to a set of all registers that have a non-X cycle 0 value in the resulting CEX; determine whether R1 is empty; in response to R1 being empty, return the resulting CEX as a valid counterexample; in response to R1 not being empty, select a first register (r) in R1 and assigning a cycle 0 value of the register r in the resulting counterexample to X; remove the selected register from R1; perform a sequential ternary simulation of the registers of the resulting CEX on the netlist and determine whether one or more of the ternary simulation results in an assertion of the target; in response to the ternary simulation of a first register asserting the target, undo a change made to the first register of the resulting CEX; and iterate the ternary simulation for a next register in R1.
Building on claim 18, the program code initializes a set R1 with all registers having a non-X value at cycle 0 of the counterexample. If R1 is empty, the CEX is valid. Otherwise, a register *r* in R1 has its cycle 0 value set to X and is removed from R1. Sequential ternary simulation is run, and if any simulation asserts the target, the change to *r* is undone. This repeats for each register in R1.
22. The computer program product of claim 21, wherein the program code further comprises code that causes the computing device to: determine a minimal set of registers whose initial value constraints need to be added to avoid a spurious CEX; initialize a set S1 to be equal to the initial state of the resulting CEX; perform a SAT analysis and identifying registers whose valuation in S1 is inconsistent with the initial state of the netlist; analyze an unsatisfiable core of a resulting SAT solver to identify a minimal subset of registers responsible for a conflict, wherein the minimal subset is smaller than a subset of a previously-minimized trace; and set R1 to be equal to the set of all registers whose values are inconsistent.
Building on claim 21, the program code for minimizing initial value constraints involves: initializing a set S1 with the CEX's initial state; using SAT analysis to find registers in S1 inconsistent with the netlist's initial state; analyzing the unsatisfiable core to find a minimal subset of conflicting registers (smaller than previously minimized traces); and setting R1 to be all registers with inconsistent values.
23. The computer program product of claim 17, wherein the program code further comprises code that causes the computing device to: build new initial value constraints utilizing R1 as an input set of registers; generate combined initial value constraints by combining the new initial value constraints with a previous set of initial value constraints; and generate one of an abstraction and a new CEX as a result from the SAT solver utilizing the combined initial value constraints.
Building on Claim 17, the program code further builds new initial value constraints based on the registers in set R1. It then combines these new constraints with any existing ones. Finally, it runs the SAT solver again using the combined constraints, generating either an abstraction of the circuit or a new counterexample.
April 25, 2012
September 3, 2013